Friday, October 06, 2006

A Dutch post (mirrored here) discusses the ease with which the computer used by most voters in the Netherlands can be reprogrammed to produce any desired result (or even to play chess).

90% of the votes in The Netherlands are cast on the Nedap/Groenendaal ES3B voting computer. With very minor modifications, the same computer is also being used in parts of Germany and France. Use of this machine in Ireland is currently on hold after significant doubts were raised concerning its suitability for elections...

The Nedap ES3B electronic voting computer is a system that belongs to the DRE (Direct Recording Electronic) class of voting computers. As such it only records the votes in memory. The system requires ultimate trust, since it produces an official election outcome that cannot be verified independently. In this paper we describe the results of an independent review of the Nedap ES3B electronic voting computer that was done without consent of the manufacturer, without access to source code, and within roughly one month.

This paper details all the steps we needed to take to create and install our own demonstration software on the machine, as well as a modified version of its own software: a version that lies about the election results. It also details a practical attack that allows a remote observer to get some information about what is being voted on an unmodified Nedap ES3B computer by exploiting compromising radio emanations from the device...

We believe public elections are pointless unless people have the right and the meaningful possibility to verify that their votes are counted correctly...

We took apart these computers because we believe we had a right to find out how our own elections work. We published this paper because we believe that you, the voter, have a right to know what independent experts think of the computers that count your vote...

Because we wanted our results to be available before the November 22nd of 2006 Dutch national parliamentary elections, we were in a hurry. This preliminary report is the result of a month’s worth of work. Much more research needs to be done and there are very definite open questions...

The key system chosen by Nedap for both the locks on the voting computer is the “C&K YL Series 4 Tumbler Camlock”. This lock always comes with the same key (marked “A126”), which probably explains why the same key is used on all 8000 ES3B machines throughout The Netherlands. Spare keys can be ordered separately online for roughly a Euro each by searching for the product number: 115140126. We ordered, paid for and were subsequently supplied with 100 of these keys without any problem. According to the product datasheet, typical applications for this lock include “copy machines and office furniture”. Even if spare keys were not so readily available: this is quite literally the type of lock we can open with a bent paperclip...

The ISS software has a ‘maintenance mode’ that is supposed to be only accessible to members of the “verkiezingswacht”, the Nedap election-day helpdesk. You need a password to get the software in this mode. A quick look in the binary revealed this password to be “GEHEIM”, the Dutch word for “SECRET”. The maintenance mode, among other things, allows the helpdesk to read the binary contents of a ballot module plugged into the programming slot of a reader unit. By sniffing the serial commands between the ISS software and the reader unit, we figured out how to issue these commands ourselves and subsequently wrote a program in Tcl that we could use to read the entire contents of a ballot memory module...
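The report's finding that the maintenance password was simply a plain string in the binary is the kind of thing a firmware review should catch before deployment. The following is an added example, written for this page and not taken from the report or from Nedap's software: it extracts printable ASCII runs from an image (the classic `strings` technique, with offsets) and flags short strings that sit right after a prompt-like string such as "Enter password:". The `FIRMWARE_IMAGE` bytes, the prompt wording and the keyword list are constructed for the demo; only the password "GEHEIM" comes from the report.

```python
"""Scan a firmware image for hardcoded credentials (added example, not the report's code)."""
import re

# Constructed stand-in for a firmware image. The bytes between the strings
# are filler for code; only the ASCII runs matter to the scan. The real ES3B
# binary is not included here.
FIRMWARE_IMAGE = (
    b"\x4e\x56\x00\x00\x48\xe7"
    b"ES3B demo image\x00"
    b"\x60\x12\x00\x0c"
    b"Maintenance mode\x00"
    b"Enter password:\x00"
    b"GEHEIM\x00"                      # the hardcoded password, as the report found it
    b"\x4e\x5e\x00\x4e\x75\x00"
    b"Ballot module read OK\x00"
)

# Words that mark a string as a credential prompt (constructed list; extend as needed).
PROMPT_WORDS = ("password", "wachtwoord", "passwd", "pin")


def extract_strings(blob: bytes, min_len: int = 4) -> list[tuple[int, str]]:
    """Return (offset, text) for every run of at least `min_len` printable
    ASCII bytes, i.e. what `strings` prints, plus the offset so that
    neighbouring strings can be related to each other."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]


def find_hardcoded_secrets(blob: bytes, window: int = 64,
                           max_secret_len: int = 16) -> list[tuple[str, str]]:
    """Heuristic review aid: a short, space-free string that sits within
    `window` bytes after a prompt-like string is a likely hardcoded credential.
    Returns (prompt, candidate) pairs for a reviewer to examine by hand."""
    strings = extract_strings(blob)
    hits = []
    for i, (offset, text) in enumerate(strings):
        if not any(word in text.lower() for word in PROMPT_WORDS):
            continue
        for next_offset, next_text in strings[i + 1:]:
            if next_offset - offset > window:
                break
            if len(next_text) <= max_secret_len and " " not in next_text.strip():
                hits.append((text, next_text))
                break
    return hits


if __name__ == "__main__":
    for offset, text in extract_strings(FIRMWARE_IMAGE):
        print(f"{offset:#06x}  {text}")
    print("candidate hardcoded credentials:", find_hardcoded_secrets(FIRMWARE_IMAGE))
```

The heuristic is deliberately simple: it produces leads, not verdicts. Real images will have compiler junk that happens to be printable, so the reviewer still looks at each hit; the point is that a credential stored as a literal next to its own prompt is trivially findable by anyone with the image, which is why it offers no protection at all.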

It started with what we thought was a very obvious statement. We claimed on our website that the Nedap was just another computer, and that as such it could just as easily be programmed to play chess or to lie about the election results. We didn’t think more of it until Jan Groenendaal placed a document on the Nedap/Groenendaal website to talk about our website "Wij vertrouwen stemcomputers niet". In it, he says: “[...] And with regard to the claim that our machine can play chess: I’d like to see that demonstrated”.

So obviously, one of our first goals now that we had access to the device was to make it play chess. Apart from proving our point, programming it to do this would also confirm that we knew everything we needed to know about the hardware before getting into the election fraud business. After having learned roughly how the hardware worked we used a gcc 68000 cross-compiler to create a Nedap IO-library containing functions to initialize the system, write data to the display, read the keyboard, and write debug messages to the UART. Together with newlib, a small clib implementation, we then managed to compile and run Tom Kerrigan's Simple Chess Program (TSCP). This was non-trivial only because we had to squeeze out quite a few tables to make it run using only the available 16 kBytes of RAM. Getting the chess pieces to magnetically attach (the keyboard is mounted at an angle) was also not that easy since the foil switches are stuck to a plastic base. We ended up using 2 and 5 Eurocent coins underneath the paper, taped such that we could press the underlying foil switches with the edge of the coin.

It knows all the rules and every now and then it can be surprisingly clever for what it is. But in all honesty we have to admit that it does not play chess all that well...

We then built “hooks” into the regular ES3B code. Every time a voter casts a ballot, our code generates a random number between 0 and 100. If the number is below the programmed percentage of votes we want to steal, that vote is not written to the ballot module but one is added to the corresponding 16-bit number in EEPROM. At the end of the election, our software determines whether this was a real election or not. It then proceeds to, either honestly or fraudulently, quickly write these votes into random locations in the ballot module, just like the real software does...

A future version of PowerFraud will also offer a “magic button” function. What this does is allow any voter during the day to press a previously-configured key combination on the voter keypad, followed by the keys needed to cast a vote. The device will then store the party that received that particular vote as the recipient for all the stolen votes, and it will not perform any vote stealing unless the magic button was pressed. This would be impossible to catch using parallel testing.
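The claim in the two passages above, that a DRE which only misbehaves after a trigger cannot be caught by parallel testing, is worth seeing concretely. Below is a toy simulation added here; it is not the report's code and not Nedap's software, and it simplifies the described behaviour (the modelled machine redirects a vote in memory rather than keeping a separate EEPROM counter). The parties, the vote lists and the key sequence `MAGIC_SEQUENCE` are constructed for the demo. It shows that a scripted test election passes on the tampered model exactly as on the honest one, while a comparison against a record produced outside the machine exposes the discrepancy.

```python
"""Toy model of why parallel testing cannot certify a DRE (added example)."""
import random
from collections import Counter

PARTIES = ["A", "B", "C"]
MAGIC_SEQUENCE = ("7", "7", "9")   # constructed stand-in for a configured key combination


class HonestDRE:
    """Records every vote exactly as cast; the behaviour a DRE is supposed to have."""

    def __init__(self):
        self.recorded = []

    def cast(self, keys, party):
        self.recorded.append(party)

    def tally(self):
        return Counter(self.recorded)


class TamperedDRE(HonestDRE):
    """Toy model of the 'magic button' variant described in the report: honest
    until some voter enters MAGIC_SEQUENCE, after which that voter's party
    receives `steal_fraction` of the following votes. If the sequence is never
    entered nothing is altered, which is exactly the situation during a test."""

    def __init__(self, steal_fraction=0.1, seed=0):
        super().__init__()
        self.beneficiary = None
        self.steal_fraction = steal_fraction
        self.rng = random.Random(seed)   # seeded so the demo is reproducible

    def cast(self, keys, party):
        if self.beneficiary is None and tuple(keys) == MAGIC_SEQUENCE:
            self.beneficiary = party
        elif self.beneficiary is not None and self.rng.random() < self.steal_fraction:
            party = self.beneficiary
        self.recorded.append(party)


def parallel_test(machine_factory, scripted_ballots):
    """Parallel testing: a machine is taken aside and fed a known script of
    votes; it passes if its tally matches the script. Testers never enter a
    secret key sequence, so a trigger-based tamper stays dormant."""
    machine = machine_factory()
    for party in scripted_ballots:
        machine.cast((), party)
    return machine.tally() == Counter(scripted_ballots)


def run_election(machine, voter_choices, magic_voter_index=None):
    """Cast `voter_choices` on `machine`; the voter at `magic_voter_index` also
    enters the key sequence. Returns the independent record of what each
    voter actually chose (what a voter-verified paper trail would hold)."""
    record = []
    for i, party in enumerate(voter_choices):
        keys = MAGIC_SEQUENCE if i == magic_voter_index else ()
        machine.cast(keys, party)
        record.append(party)
    return record


def audit_against_independent_record(machine, independent_record):
    """Compare the machine's own tally with a record kept outside the machine.
    Returns {party: machine_count - record_count} for every party that differs;
    an empty dict means the two agree."""
    expected = Counter(independent_record)
    actual = machine.tally()
    return {p: actual[p] - expected[p] for p in PARTIES if actual[p] != expected[p]}


if __name__ == "__main__":
    script = PARTIES * 20                 # constructed test script
    votes = PARTIES * 100                 # constructed election: 100 votes per party
    print("honest passes parallel test:  ", parallel_test(HonestDRE, script))
    print("tampered passes parallel test:", parallel_test(TamperedDRE, script))
    machine = TamperedDRE(steal_fraction=0.1, seed=0)
    record = run_election(machine, votes, magic_voter_index=2)   # voter 2 chose "C"
    print("audit discrepancy:", audit_against_independent_record(machine, record))
```

The lesson for anyone evaluating such systems is in the two functions: `parallel_test` only ever observes the machine's own behaviour, so any condition the machine can distinguish (a key sequence, a date, a vote count) is enough to hide from it, whereas `audit_against_independent_record` needs evidence the machine did not produce. A DRE without such a record, which is what the report says the ES3B is, leaves the auditor with nothing to compare against.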